The Prometei botnet has been an ongoing threat since Cisco Talos first reported on it in 2020. As of November 2022, the botnet has improved its infrastructure components and capabilities, including certain submodules of the execution chain that automate processes and challenge forensic analysis methods. Based on data obtained by sinkholing the DGA domains over a one-week period in February 2023, the Prometei v3 botnet is estimated to be of medium size, with more than 10,000 infected systems worldwide. The actors have been actively spreading improved Linux versions of the bot, continuously improving the current version.
Recent observations have revealed previously undocumented functionality, such as an alternative C2 domain generating algorithm, a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell deployed onto victim hosts, improving the overall technical capabilities of the botnet. Additionally, the bot's targeting may have been influenced by the war in Ukraine, as the only excluded country in the Tor configuration is Russia, as opposed to earlier variants, which also avoided exit nodes in other CIS countries.
Prometei primarily deploys the Monero cryptocurrency miner and has worm-like capabilities, posing a persistent threat to organizations. Talos has observed the botnet's financial motivation through cryptocurrency mining and credential theft activity, with infections likely opportunistic, targeting vulnerable entities in all regions and industry verticals.
Based on data acquired through sinkholing the DGA domains, the geographical distribution of infected systems is proportional to the population of the countries, with traffic captured from 155 countries. The most populous countries have the largest number of infected systems, with exceptions in Brazil, Indonesia, and Turkey displaying a higher proportion of infections compared to those countries' populations. Russia stands out as having a disproportionately smaller number of infections, accounting for 0.31 percent of all infected systems, supporting the assessment that the bot's targeting is influenced by the Russia-Ukraine conflict based on its Tor configuration.
The Prometei threat remains ongoing and is expected to evolve for the foreseeable future. The botnet's common C2 infrastructure continues to show a steady stream of activity, with the operators consistently rotating its malware and cryptomining hosts. The regular updating and expansion of Prometei's modules demonstrate commitment and technical knowledge that will enable them to continue proliferating the botnet to new victims and adapting to new defenses and protections. The addition of backdoor capabilities and a bundled web shell could indicate the operators' efforts to add persistence measures to keep Prometei active on targeted machines or a gradual shift or expansion to other types of payloads and activity.